File name:	UnivMenu_1.16.7z
Full analysis:	https://app.any.run/tasks/4c6a3e26-30ff-444a-9d2a-76e746e63694
Verdict:	Malicious activity
Threats:	Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	July 13, 2024, 20:57:35
OS:	Windows 11 Professional (build: 22000, 64 bit)
Tags:	lumma stealer exfiltration pastebin silentcryptominer miner opendir crypto-regex upx
Indicators:
MIME:	application/x-7z-compressed
File info:	7-zip archive data, version 0.4
MD5:	5A643CA6DB7C42CE8EF4F7FD7C9B1F98
SHA1:	DC0806360A0C41F0A8171633CA5BE6FA8B0BCA29
SHA256:	B00DB80C33FFFE8E0484331C39CB8A34210A6AE5B5C553920EF038B7DE087B20
SSDEEP:	98304:D00h6ACai0icMqaj54c3vKkg4n0S99z+kvhqG2x4cP2p+jSKqKP2Oe8y6BasGdPf:hdNrDZoTBJD

.7z	\|	7-Zip compressed archive (v0.4) (57.1)
.7z	\|	7-Zip compressed archive (gen) (42.8)


(PID) Process:	(2796) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\General
Operation:	write	Name:	VerInfo
Value: 005B0500F0886D5067D5DA01
(PID) Process:	(2796) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(2796) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(2796) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface
Operation:	write	Name:	ShowPassword
Value: 0
(PID) Process:	(2796) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Downloads\UnivMenu_1.16.7z
(PID) Process:	(2796) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(2796) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(2796) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(2796) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(2796) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1

PID	Process	Filename		Type
2796	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXb2796.8718\Data\gsdagsdg - Copy (10) - Copy.txt		text
		MD5:A855A4B3C1CEA75E19FEA7F6A2E0281B	SHA256:6FA90940945D0FEFA4E6433238D41C208244CF7449E9646F36A542DA78D394E9
2796	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXb2796.8718\Data\gsdagsdg - Copy (11) - Copy.txt		text
		MD5:A855A4B3C1CEA75E19FEA7F6A2E0281B	SHA256:6FA90940945D0FEFA4E6433238D41C208244CF7449E9646F36A542DA78D394E9
2796	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXb2796.8718\Data\gsdagsdg - Copy (16).txt		text
		MD5:A855A4B3C1CEA75E19FEA7F6A2E0281B	SHA256:6FA90940945D0FEFA4E6433238D41C208244CF7449E9646F36A542DA78D394E9
2796	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXb2796.8718\Data\gsdagsdg - Copy (11).txt		text
		MD5:A855A4B3C1CEA75E19FEA7F6A2E0281B	SHA256:6FA90940945D0FEFA4E6433238D41C208244CF7449E9646F36A542DA78D394E9
2796	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXb2796.8718\Data\gsdagsdg - Copy (12) - Copy.txt		text
		MD5:A855A4B3C1CEA75E19FEA7F6A2E0281B	SHA256:6FA90940945D0FEFA4E6433238D41C208244CF7449E9646F36A542DA78D394E9
2796	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXb2796.8718\Data\gsdagsdg - Copy (13).txt		text
		MD5:A855A4B3C1CEA75E19FEA7F6A2E0281B	SHA256:6FA90940945D0FEFA4E6433238D41C208244CF7449E9646F36A542DA78D394E9
2796	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXb2796.8718\Data\gsdagsdg - Copy (12).txt		text
		MD5:A855A4B3C1CEA75E19FEA7F6A2E0281B	SHA256:6FA90940945D0FEFA4E6433238D41C208244CF7449E9646F36A542DA78D394E9
2796	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXb2796.8718\Data\gsdagsdg - Copy (14) - Copy.txt		text
		MD5:A855A4B3C1CEA75E19FEA7F6A2E0281B	SHA256:6FA90940945D0FEFA4E6433238D41C208244CF7449E9646F36A542DA78D394E9
2796	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXb2796.8718\Data\gsdagsdg - Copy (15).txt		text
		MD5:A855A4B3C1CEA75E19FEA7F6A2E0281B	SHA256:6FA90940945D0FEFA4E6433238D41C208244CF7449E9646F36A542DA78D394E9
2796	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXb2796.8718\Data\gsdagsdg - Copy (17) - Copy.txt		text
		MD5:A855A4B3C1CEA75E19FEA7F6A2E0281B	SHA256:6FA90940945D0FEFA4E6433238D41C208244CF7449E9646F36A542DA78D394E9

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	HEAD	200	23.35.236.109:443	https://fs.microsoft.com/fs/windows/config.json	unknown	—	—	—
1332	svchost.exe	GET	200	88.221.110.147:80	http://www.msftconnecttest.com/connecttest.txt	unknown	—	—	whitelisted
3984	svchost.exe	GET	304	93.184.221.240:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?4853f0d6c45594a7	unknown	—	—	whitelisted
1088	svchost.exe	POST	403	184.28.89.167:80	http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409	unknown	—	—	unknown
1088	svchost.exe	POST	403	184.28.89.167:80	http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409	unknown	—	—	unknown
1088	svchost.exe	POST	403	184.28.89.167:80	http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409	unknown	—	—	unknown
1088	svchost.exe	POST	403	184.28.89.167:80	http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409	unknown	—	—	unknown
1088	svchost.exe	POST	403	184.28.89.167:80	http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409	unknown	—	—	unknown
1088	svchost.exe	POST	403	184.28.89.167:80	http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409	unknown	—	—	unknown
1088	svchost.exe	POST	403	184.28.89.167:80	http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409	unknown	—	—	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
4552	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
1332	svchost.exe	88.221.110.216:80	—	Akamai International B.V.	DE	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted
1504	svchost.exe	23.43.61.160:443	fs.microsoft.com	Akamai International B.V.	US	unknown
1332	svchost.exe	88.221.110.147:80	—	Akamai International B.V.	DE	unknown
3984	svchost.exe	20.190.160.22:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3984	svchost.exe	93.184.221.240:80	ctldl.windowsupdate.com	EDGECAST	GB	whitelisted
2844	svchost.exe	20.189.173.26:443	v10.events.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
2844	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1088	svchost.exe	184.28.89.167:80	go.microsoft.com	AKAMAI-AS	US	unknown

Domain	IP	Reputation
google.com	142.250.186.46	whitelisted
fs.microsoft.com	23.43.61.160	whitelisted
login.live.com	20.190.160.22 40.126.32.76 40.126.32.133 40.126.32.74 40.126.32.72 40.126.32.134 20.190.160.17 40.126.32.68	whitelisted
ctldl.windowsupdate.com	93.184.221.240	whitelisted
v10.events.data.microsoft.com	20.189.173.26	whitelisted
settings-win.data.microsoft.com	4.231.128.59	whitelisted
go.microsoft.com	184.28.89.167	whitelisted
bitchsafettyudjwu.shop	172.67.168.236 104.21.27.50	malicious
xmr-eu1.nanopool.org	51.15.193.130 51.89.23.91 146.59.154.106 51.15.65.182 54.37.232.103 212.47.253.124 141.94.23.83 163.172.154.142 51.15.58.224 54.37.137.114 162.19.224.121	whitelisted
pastebin.com	172.67.19.24 104.20.4.235 104.20.3.235	shared

PID	Process	Class	Message
1332	svchost.exe	Misc activity	ET INFO Microsoft Connection Test
1656	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup
1916	aspnet_regiis.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Lumma Stealer Related Domain
—	—	A Network Trojan was detected	ET MALWARE Lumma Stealer Related Activity
—	—	A Network Trojan was detected	ET MALWARE Lumma Stealer Related Activity M2
—	—	Malware Command and Control Activity Detected	STEALER [ANY.RUN] Win32/Lumma Stealer Check-In
1916	aspnet_regiis.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Lumma Stealer Related Domain
—	—	Malware Command and Control Activity Detected	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration
—	—	Malware Command and Control Activity Detected	STEALER [ANY.RUN] Win32/Lumma Stealer Exfiltration
1916	aspnet_regiis.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Lumma Stealer Related Domain

General Info

UnivMenu_1.16.7z

5A643CA6DB7C42CE8EF4F7FD7C9B1F98

DC0806360A0C41F0A8171633CA5BE6FA8B0BCA29

B00DB80C33FFFE8E0484331C39CB8A34210A6AE5B5C553920EF038B7DE087B20

98304:D00h6ACai0icMqaj54c3vKkg4n0S99z+kvhqG2x4cP2p+jSKqKP2Oe8y6BasGdPf:hdNrDZoTBJD

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Uses Task Scheduler to run other applications

Adds extension to the Windows Defender exclusion list

Creates a writable file in the system directory

SILENTCRYPTOMINER has been detected (SURICATA)

Connects to the CnC server

LUMMA has been detected (SURICATA)

Actions looks like stealing of personal data

SUSPICIOUS

Executable content was dropped or overwritten

Reads the Internet Settings

Reads settings of System Certificates

Script adds exclusion extension to Windows Defender

Starts POWERSHELL.EXE for commands execution

Starts CMD.EXE for commands execution

Starts SC.EXE for service management

Searches for installed software

Uses powercfg.exe to modify the power settings

Process uninstalls Windows update

Script adds exclusion path to Windows Defender

The process creates files with name similar to system file names

Drops a system driver (possible attempt to evade defenses)

Contacting a server suspected of hosting an CnC

Executes as Windows Service

Connects to unusual port

Found regular expressions for crypto-addresses (YARA)

Crypto Currency Mining Activity Detected

Reads security settings of Internet Explorer

INFO

Drops the executable file immediately after the start

Checks supported languages

Creates files or folders in the user directory

Reads the computer name

Reads the software policy settings

Script raised an exception (POWERSHELL)

Reads the machine GUID from the registry

Creates files in the program directory

UPX packer has been detected

Executable content was dropped or overwritten

Create files in a temporary directory

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules